A method for performing network access filtering and/or categorization through guest introspection on a device data compute node (DCN) that executes on a host is provided. The method, through a guest introspector installed on the DCN, intercepts a data message that the DCN is preparing to send to a network resource. The method identifies a category of the network resource. The method uses the category of the network resource to examine a set of network access policies that are stored on the host in order to determine whether the network access should be allowed. The method identifies a network access policy that requires the rejection of the network access when the access to the network resource would cause the aggregate bandwidth consumed by the identified category of network resource to exceed a bandwidth threshold. The method rejects the network access based on the identified network access policy.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of filtering network access on a host computing device on which a particular guest virtual machine (GVM) executes, the particular GVM executing an application, a guest introspector, a TCP/IP stack and an encryption module, the method comprising: through the guest introspector installed on the particular GVM executing on the host computing device along with a plurality of other GVMs, capturing metadata regarding a data message associated with an attempt by the application to access a network resource, said metadata captured above the TCP/IP stack of the particular GVM before the data message is encrypted by the encryption module of the particular GVM, wherein the metadata comprises a URL associated with the network resource; using, at a service module that executes on the host computing device, the URL in the captured metadata to examine a set of network access policies stored on the host computing device in order to determine whether the network access should be allowed, wherein capturing the metadata before the metadata is encrypted allows the captured metadata to be used to examine the set of network access policies without decrypting the metadata; through said examination, identifying a network access policy that requires a rejection of the network access; directing the guest introspector to reject the network access; and rejecting, at the guest introspector, the network access based on the identified network access policy.
2. The method of claim 1, wherein the data message is a first data message, the network access is a first network access, and the metadata is a first set of metadata, the method further comprising: through the guest introspector, capturing a second set of metadata, before the second set of metadata is encrypted by the encryption module of the particular GVM, regarding a second data message associated with a second network access attempt, wherein the second set of metadata comprises a second URL associated with the network resource associated with the second network access attempt; using, at the service module, the second URL in the captured second set of metadata to examine the set of network access policies to determine whether the second network access should be allowed; and allowing the second network access after the examination does not identify a network access policy that requires the rejection of the second network access attempt and sending the second data message to the encryption module.
3. The method of claim 1, wherein the guest introspector is a network introspector that captures the metadata through a set of filters that is defined above the TCP/IP stack of the particular GVM.
4. The method of claim 1, wherein the guest introspector is a network introspector that captures the metadata through a filter that is defined as a transport layer library filter.
5. The method of claim 3, wherein the set of filters includes a filter that is defined in a library that handles layer 5 or higher layer communication protocol operations.
6. The method of claim 1, wherein the service module is a service virtual machine.
7. The method of claim 1, wherein the network resource is a website, wherein using the captured metadata further comprises using the captured metadata to determine whether accessing the website is allowed by the set of network access policies.
8. The method of claim 1, wherein the network resource is a website, wherein using the captured metadata further comprises using the captured metadata to determine whether accessing the website by an application of the particular GVM that is attempting the network access is allowed by the set of network access policies.
9. The method of claim 1, wherein the network resource is a website, wherein using the captured metadata further comprises using the captured metadata to determine whether accessing the website by a user that is using the particular GVM while the network access is being attempted is allowed by the set of network access policies.
10. The method of claim 1, wherein the network resource is a file that contains content that is intended for the attempted network access, wherein using the captured metadata comprises determining whether accessing the file is allowed by the set of network access policies.
11. The method of claim 1, wherein the network resource is a file that contains content that is intended for the attempted network access, wherein using the captured metadata comprises determining whether accessing the content of the file is allowed by the set of network access policies.
12. A non-transitory machine readable medium for storing a program for filtering network access on a host computing device on which a particular guest virtual machine (GVM) executes, the program comprising sets of instructions for: capturing, through a guest introspector installed on the particular GVM, metadata regarding a data message associated with an attempt to access a network resource, said metadata captured above a TCP/IP stack of the particular GVM before the data message is encrypted by an encryption module of the particular GVM, wherein the metadata comprises a URL associated with the network resource; using, at a service module that executes on the host computing device, the URL in the captured metadata to examine a set of network access policies stored on the host computing device to identify a network access policy to analyze to determine whether the network access should be allowed, wherein capturing the metadata before the metadata is encrypted allows the captured metadata to be used to examine the set of network access policies without decrypting the metadata; based on an identified network access policy, determining that the network access should be rejected; directing the guest introspector to reject the network access; and rejecting, at the guest introspector, the network access based on the identified network access policy.
13. The non-transitory machine readable medium of claim 12, wherein the data message is a first data message, the network access attempt is a first network access attempt, and the metadata is a first set of metadata, wherein the program further comprises sets of instructions for: capturing, through the guest introspector, a second set of metadata regarding a second data message associated with a second network access attempt, said second set of metadata captured before the second data message is encrypted by the encryption module of the particular GVM, wherein the second set of metadata comprises a second URL associated with the network resource associated with the second network access attempt; using, at the service module, the second URL in said captured second set of metadata to examine the set of network access policies to identify a network access policy to analyze to determine whether the second network access should be allowed; allowing, at the guest introspector, the second network access after the examination using the second set of metadata does not identify a network access policy that requires the rejection of the second network access attempt; and providing the second data message to the encryption module.
14. The non-transitory machine readable medium of claim 12, wherein the network resource is a website, wherein the set of instructions for using the URL in the captured metadata further comprises a set of instructions for using the URL in the captured metadata to determine whether accessing the website is allowed by the set of network access policies.
15. The non-transitory machine readable medium of claim 12, wherein the network resource is a website, wherein the set of instructions for using the URL in the captured metadata comprises a set of instructions for using the URL in the captured metadata to determine whether accessing the website by an application of the particular GVM that is attempting the network access is allowed by the set of network access policies.
16. The non-transitory machine readable medium of claim 12, wherein the network resource is a website, wherein the set of instructions for using the URL in the captured metadata further comprises a set of instructions for using the URL in the captured metadata to determine whether accessing the website by a user that is using the particular GVM while the network access is being attempted is allowed by the set of network access policies.
17. The non-transitory machine readable medium of claim 12, wherein the network resource is a file that contains content that is intended for the attempted network access, wherein the set of instructions for using the URL in the captured metadata comprises a set of instructions for determining whether accessing the file is allowed by the set of network access policies.
18. The non-transitory machine readable medium of claim 12, wherein the network resource is a file that contains content that is intended for the attempted network access, wherein the set of instructions for using the URL in the captured metadata comprises a set of instructions for determining whether accessing the content of the file is allowed by the set of network access policies.
19. The non-transitory machine readable medium of claim 12, wherein the service module is a service virtual machine.
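The claims above (independent claims 1 and 12 with their dependents, plus the per-category bandwidth threshold of the abstract) describe one control loop: an in-guest introspector captures the URL, requesting application and current user above the TCP/IP stack, before the encryption module sees the message; a host-side service module matches that plaintext metadata against stored policies; the introspector then drops the message or hands it to the encryption module. The following is an added model of that loop written for this page; it is not code from the patent or its assignee. The class names, the hostnames, the policy set, the byte sizes and the XOR stand-in for the guest's encryption module are all constructed for illustration.

```python
"""Model of guest-introspection URL filtering: in-guest capture, host-side policy check."""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Metadata:
    """What the introspector captures above the TCP/IP stack, before encryption."""
    url: str
    app: str    # process attempting the access (claims 8 and 15)
    user: str   # user logged in to the GVM at the time (claims 9 and 16)


@dataclass(frozen=True)
class Policy:
    """One host-side policy; every field that is set must match for a REJECT."""
    name: str
    host: Optional[str] = None               # this host or any subdomain of it
    path_prefix: Optional[str] = None
    apps: Optional[frozenset] = None
    users: Optional[frozenset] = None
    category: Optional[str] = None           # resource category, as in the abstract
    byte_threshold: Optional[int] = None     # cap on aggregate bytes for the category

    def matches(self, md: Metadata, category: str, category_bytes: int) -> bool:
        parts = urlsplit(md.url)
        host = (parts.hostname or "").lower()
        if self.host is not None and not (host == self.host or host.endswith("." + self.host)):
            return False
        if self.path_prefix is not None and not parts.path.startswith(self.path_prefix):
            return False
        if self.apps is not None and md.app not in self.apps:
            return False
        if self.users is not None and md.user not in self.users:
            return False
        if self.category is not None and category != self.category:
            return False
        # Abstract: reject only when this access would push the aggregate over the cap.
        if self.byte_threshold is not None and category_bytes <= self.byte_threshold:
            return False
        return True


class ServiceModule:
    """Runs on the host (a service VM in claims 6 and 19); holds policies and categories."""

    def __init__(self, policies, categories):
        self.policies = list(policies)
        self.categories = dict(categories)   # host suffix -> category (constructed map)
        self.bytes_by_category = {}

    def categorize(self, url: str) -> str:
        host = (urlsplit(url).hostname or "").lower()
        for suffix, cat in self.categories.items():
            if host == suffix or host.endswith("." + suffix):
                return cat
        return "uncategorized"

    def check(self, md: Metadata, size: int):
        """Return (allowed, policy_name). Works on plaintext metadata; nothing is decrypted."""
        cat = self.categorize(md.url)
        prospective = self.bytes_by_category.get(cat, 0) + size
        for p in self.policies:
            if p.matches(md, cat, prospective):
                return False, p.name
        self.bytes_by_category[cat] = prospective   # commit bandwidth only on allow
        return True, None


class GuestIntrospector:
    """In-guest hook between the application and the encryption module."""

    def __init__(self, service: ServiceModule, encrypt: Callable[[bytes], bytes]):
        self.service = service
        self.encrypt = encrypt
        self.log = []

    def send(self, app: str, user: str, url: str, payload: bytes):
        md = Metadata(url=url, app=app, user=user)     # captured pre-encryption
        allowed, policy = self.service.check(md, len(payload))
        self.log.append((md, allowed, policy))
        if not allowed:
            return None                  # message never reaches the encryption module
        return self.encrypt(payload)     # claims 2 and 13: allowed message is encrypted


def demo():
    """Constructed sample traffic; every host, policy and size here is illustrative."""
    service = ServiceModule(
        policies=[
            Policy("block-gambling", category="gambling"),
            Policy("no-browser-to-paste", host="paste.example", apps=frozenset({"browser"})),
            Policy("contractors-no-wiki", host="wiki.internal.example", users=frozenset({"contractor"})),
            Policy("video-cap-1MiB", category="video", byte_threshold=1 << 20),
        ],
        categories={"bets.example": "gambling", "video.example": "video"},
    )
    xor_encrypt = lambda b: bytes(x ^ 0x5A for x in b)   # stand-in for TLS, not real crypto
    gi = GuestIntrospector(service, xor_encrypt)
    return [
        gi.send("browser", "alice", "https://news.example/today", b"GET /today") is not None,
        gi.send("browser", "alice", "https://www.bets.example/", b"GET /") is not None,
        gi.send("browser", "alice", "https://paste.example/new", b"POST /new") is not None,
        gi.send("curl", "alice", "https://paste.example/new", b"POST /new") is not None,
        gi.send("browser", "contractor", "https://wiki.internal.example/", b"GET /") is not None,
        gi.send("player", "alice", "https://video.example/a", b"x" * 700_000) is not None,
        gi.send("player", "alice", "https://video.example/b", b"x" * 700_000) is not None,
    ]
```

Because the URL is read before the encryption module runs, the host-side check needs neither the guest's TLS keys nor an interception proxy, which is the point the claims make about examining policies "without decrypting the metadata". The caveat a practitioner should keep in mind is that the introspector itself runs inside the guest: an attacker with administrative control of the GVM can unload or bypass it, so this kind of filter complements host- or network-level enforcement rather than replacing it.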
July 30, 2015
March 31, 2020